Importance of state security laws goes beyond borders

Written by Dan Blacharski on September 25, 2008

Sometimes an individual state law becomes de facto national legislation, as was the case with California’s SB1386. This law requires any company that maintains personal data about a resident of California to provide notification in the event of a breach. But of course, California’s economy is larger than that of many foreign countries I’ve been in, so the law had an impact far beyond its borders. A company headquartered on the other side of the country is still likely to have some California customers, so the law still applies to it.

The same ripple effect may take place as a result of Nevada’s new law, which requires that a business encrypt all transmissions of personal information over the Internet. The law takes effect on October 1, 2008. As a result, transmitting unencrypted personal information over the Internet in any form, including email, would constitute a violation. The legislation specifically defines “personal information” as a person’s name, in combination with a social security number, driver’s license number, or account number in combination with a security code, access code or password.

There are some other states that have similar legislation, including California, Texas, and Rhode Island. But the Nevada law is more specific, in that it mandates the use of encryption as a security measure, and its passage may well set the standard for companies’ security policies nationwide. There has been some criticism of the new law, in that it defines “encryption” very broadly, and does not coordinate with any industry standards. Also, penalties for violation are not clearly stated.

Compliance is of course required for Nevada businesses, although the rest of the country may wish to pay attention as well. But at least initially, compliance will be a little problematic, since unlike some other technological mandates, there are not many specifics, and Nevada companies will be left to their own devices to decide whether their security vendors’ encryption offerings are compliant with the Nevada law.

But regardless of any confusion, it’s a law with good intentions, and whether you fall under its jurisdiction or not, encrypting such information prior to transmission is just sound policy. Regular email is too easy to intercept and read, and adding encryption to it is not burdensome.
